From SoylentNews
Jump to navigation Jump to search

CssWork - parent Development DevelopmentWorkCurrentlyInProgressSlashDocumentationIndex PollingVotingNotesAudioguy

This is current problems/tasks/working notes.

To Do

  • 1 Gathering docs, understanding code - ongoing
  • 2 Walk through all admin access in slash and see where javascript can be dumped, what other fixes needed - put off for a few days while I try to fix htacces problem
  • 3 Try minified javascript - in place testing - moved by Eric to main repository
  • 4 Solve htaccess problem for staff slash/wiki - in process (see CommunicationSystems)
  • 5 Solve topic add problem - put off until #2 is in process.
  • 6 Created SystemAdministration wik area, writing emergency procedure - finished.
  • Temporary staff poll thingie - in progress----

The htaccess problem

Put an htaccess file in the html folder for slash, as I have done hundreds to times before...and it did not work.

Specifically, it did nothing at all.

No error, just...nothing.

Nothing in log that revealed much.

A problem with debugging this is the presence of 'Varnish' a cache ahead of the server. However, in the end I am told this is not, on this particular server, doing anything but passing the requests through.

First problem noted was that in the main apache config, the directive AllowOverride None was in place. this prevents anything in htaccess files from overriding the main config. Changed to AllowOverride All. Still not working. Checked the local apache config in the site/ dir and saw that had another such directive. Changed that one. Still not working. Decided to give up on htaccess completely, and put the directives into the main apache file. Still not working.

Noticed, however, this in the slash apache config file:

    # Fourth Apache phase:  access control
    PerlAccessHandler  Slash::Apache::Banlist
    PerlAccessHandler  Slash::Apache::User

The slash apache module has taken control of the Apache access control phase.

I am pretty sure this means that ONLY the perl modules now can operate in that phase, as in apache 1.3, there is just a traversal through the different phases, and whoever handles the phase causes apache to go on to the next phase.

Tried to check the docs to confirm this, but apache has removed 1.3 docs from their site.

Finally found an old 1.3 source on a backup, grabbed the docs out of this, and read:

-- Apache breaks down request handling into a series of steps, more or less the same way the Netscape server API does (although this API has a few more stages than NetSite does, as hooks for stuff I thought might be useful in the future). These are:

  • URI -> Filename translation
  • Auth ID checking [is the user who they say they are?]
  • Auth access checking [is the user authorized here?]
  • Access checking other than auth
  • Determining MIME type of the object requested
  • `Fixups' --- there aren't any of these yet, but the phase is intended as a hook for possible extensions like SetEnv, which don't really fit well elsewhere.
  • Actually sending a response back to the client.
  • Logging the request

These phases are handled by looking at each of a succession of modules, looking to see if each of them has a handler for the phase, and attempting invoking it if so. The handler can typically do one of three things:

  • Handle the request, and indicate that it has done so by returning the magic constant OK.
  • Decline to handle the request, by returning the magic integer constant DECLINED. In this case, the server behaves in all respects as if the handler simply hadn't been there.
  • Signal an error, by returning one of the HTTP error codes. This terminates normal handling of the request, although an ErrorDocument may be invoked to try to mop up, and it will be logged in any case.

Most phases are terminated by the first module that handles them; however, for logging, `fixups', and non-access authentication checking, all handlers always run (barring an error)


So in short, if perl decides to handle the 'access' phase, Apache cannot.

I am now 99% certain that I cannot use htaccess or any other access phase functions on the apache server with slash.

However, the slash system itself has all that is required to do this, I just need to find a way to use it.

And an looking now...

Proposed solution:

Slash always checks if a user is logged in early in the page generation process. Find that place, and modify it to redirect all users who are not logged in to a login page (which must be created.)

Tracing through code now...

A redirect to this page might work:

Trying a staff.shtml static version of that page... And that worked fine to log me in.

Now, will it work with no links on the side, or those links disabled?

Looking for a 'hook'

These pages use perl scripts:

- on front page- (listed as older stuff) (listed as past polls) (listed as submit story) This is the link on the users name when logged in. Must be a redirect? 
also most recent journal entries go to similar urls 
like - older stuff box, date link older stuff box, article link older stuff,'older articles' 'yesterdays news'

-the topic images- 

- static shtml file links -
You don't have permission to access /faq/index.shtml on this server. - 'about' on main menu - 'faq' on main menu

authors.shtml - exists, but link goes to .pl version
hof.shtml - when accessed directly, goes to a summary of Most Active Stories etc
moderation.shtml - an textual page explaining what moderation is about
slashguide.shtml - goes to: which shows error:
     "Forbidden You don't have permission to access /faq/index.shtml on this server."
staff.shtml - redirects internally to a login function - My page!!!!!!
topics.shtml - shows essentially same result as list of topics.

-Main home logo- actually goes to index.shtml 

- the 'my' redirection create account/login

Routines in the chief .pl pages:

# require POST and logged-in user for these ops
        my $user_ok   = $user->{state}{post} && !$user->{is_anon};

 # possible value of "op" parameter in form
        my %ops = (
                edit            => [ !$user->{is_anon}, \&editArticle           ],
                removemeta      => [ !$user->{is_anon}, \&articleMeta           ],
       # require POST and logged-in user for these ops
        my $user_ok   = $user->{state}{post} && !$user->{is_anon};

display_prefs   => [ !$user->{is_anon}, \&display_prefs         ],
                save_prefs      => [ $user_ok,          \&save_prefs            ],
                list_messages   => [ !$user->{is_anon}, \&list_messages         ],
No obvious check 
no obvious check
no obvious check
no obvious check
 my @redirect_ops;

        push @redirect_ops, "title=" . strip_paramattr($form->{subj}) if $form->{subj};
        push @redirect_ops, "url=" . strip_paramattr($form->{url}) if $form->{url};
        if ($form->{subj} || $form->{url}) {
                push @redirect_ops, "new=1";

       my %ops = (
                blankform               => [1,                  \&blankForm],
                previewstory            => [1,                  \&previewStory],
                pending                 => [!$user->{is_anon},  \&yourPendingSubmissions],
                submitstory             => [1,                  \&saveSub],
                list                    => [$submiss_view,      \&submissionEd],
                viewsub                 => [$submiss_view,      \&previewForm],
                update                  => [$user->{is_admin},  \&updateSubmissions],
 my $op = lc($form->{op} || 'default');
        $op = 'default' if !$ops{$op} || !$ops{$op}[ALLOWED];

        # require POST and logged-in user for these ops
        my $user_ok   = $user->{state}{post} && !$user->{is_anon};

        # possible value of "op" parameter in form
        my %ops = (
                edit            => [ !$user->{is_anon}, \&editArticle           ],
                removemeta      => [ !$user->{is_anon}, \&articleMeta           ],

                preview         => [ $user_ok,          \&editArticle           ],
                save            => [ $user_ok,          \&saveArticle           ],

        # waits until it's inside the op's subroutine to print
        # its header.  Headers are bottlenecked through _printHead.

        my $op = lc($form->{op}) || '';
        if (!$op || !exists $ops{$op} || !$ops{$op}[ALLOWED]) {
                $op = 'default';

sub main {
my $start_time = Time::HiRes::time;
        my $constants   = getCurrentStatic();
        my $user        = getCurrentUser();
        my $form        = getCurrentForm();
        my $slashdb     = getCurrentDB();
        my $reader      = getObject('Slash::DB', { db_type => 'reader' });

        return if redirect_home_if_necessary();

sub redirect_home_if_necessary {
        my $user = getCurrentUser();
        my $form = getCurrentForm();
        my $script = '';
        if (!$user->{is_anon} && defined $form->{usebeta}) {

        if (       $form->{op} && $form->{op} eq 'userlogin' && !$user->{is_anon}
                || $form->{upasswd}
                || $form->{unickname}
        ) {
                # Any login attempt, successful or not, gets
                # redirected to the homepage, to avoid keeping
                # the password or nickname in the query_string of
                # the URL (this is a security risk via "Referer").
                # (If we've determined the user needs to go to
                #, send them there.)  Note that
                # $form->{returnto} is processed by
                # Slash::Apache::User::handler, which for reasons
                # of a mysterious bug defers the actual redirect
                # to be handled by this script.
                $script = $form->{returnto} || '/';

        if ($script) {
                return 1;

conclusion so far

There is not consistent way to handle security level on all he pl pages, they all either don't handle it at all, or handle it in different ways.

What is there consistently is:

  • Inclusion of User and Utillity libs
  • A main() routine
  • there may be differences in how they call header, but all do in some fashion.
  • They all call footer()
  • redirect is in utility / (in lib64)
sub redirect {
        my($url, $code) = @_;
        $code = 302 if !$code || $code != 301;
        my $constants = getCurrentStatic();
        $url = url2abs($url);
        my $r = Apache->request;

        $r->content_type($constants->{content_type_webpage} || 'text/html');
        $r->header_out(Location => $url);

        slashDisplay('html-redirect', { url => $url, code => $code });

Try to get to redirect to my staff page

This works, right before the header call:

if ($user->{is_anon} )

        header(getData('head'), $form->{section}, $data) or return;



makes code easier if(privatesite) {} with button in admin interface

0 - off 1 = private.

List all pages and give list to paul for incorporation.

private_site variable set to 1 - this is the name

# if ($user->{is_anon}  && $private_site ) {redirect("/staff.shtml"); }
# may need to add a local private site and do what is needed to get it first

This is how constants in vars are accessed:

 my $constants = getCurrentStatic();

 if ($constants->{body_bytes}) {}

Ok, so this should work:

Must first make sure my $constants = getCurrentStatic(); earlier, then


if (   $user->{is_anon}  &&  $constants->{private_site} ) {redirect("/staff.shtml"); }

# should change name of staff.shtml to loginonly.shtml or justlogin.shtml

Discuss code style.

Suggest voluminous comments with option to emove easily with a grep -v

Hard left # for comments to be remove, code indented as usual.

# Code added Sun Mar  9 13:33:10 PDT 2014 - audioguy
#  to add a private slash option.
# If database table 'vars' variable 'private_site' != 0 then site is private
#  and all non-logged in users will be redirected to a login page.
# This code requires my $constants = getCurrentStatic(); declared earlier to 
#  insure the constant 'private_site' (set in admin interface, variables) 
#  is available locally. ( also $user = getCurrentUser(); )
# This routine must be added to all publicly available .pl scripts 
#  (pages, not inclusions), just prior to the first header() call.
    if( $user->{is_anon}  &&  $constants->{private_site} ) { redirect("/loginonly.shtml"); }

Change the page staff name to reflect its real usage: loginonly.shtml

Perl pages that are known to require this change:  -> /usr/local/slash/plugins/Admin/  -> /usr/local/slash/themes/slashcode/htdocs/ -> /usr/local/slash/plugins/Journal/ -> /usr/local/slash/plugins/Messages/ -> /usr/local/slash/themes/slashcode/htdocs/

# problem -> /usr/local/slash/themes/slashcode/htdocs/
# even thugh the link points to this script, iy is never executed. I can rename it, no
# effect. It is actually authors.shtml that is executed. Must be a redirect somewhere.
# must track down and fix this when the shtml pages are fixed.
# You would think directly calling would call it...  -> /usr/local/slash/plugins/Search/ - page with many links - NEED TO CHECK THEM ALL - maybe this pages needs redirect - Needs redirect,

Perl scripts in htdocs that need to be tested as possible side channels: - shows a double page when called directly - normal menus - blanl page, no memus, nothing dangerous with or without javascript - nothing for yu to see here message, has normal side menus - Internal Server Error direct from apache. - goes to - varnish error: Error 503 Service Unavailable - The server encountered an internal error or misconfiguration but with normal menus - blank page, with normal menus. - most active, most visted, may need redirect. - Apache internal server error - Goes back to index page, CHECK - apache server error with full menus - seems to go just to index page CHECK - pure white screen with plain text message "You need to supply the name of a user." - error, with menus, The requested URL ( was not found. - admin reports page, FIX? TEST - apacche internal eror with normal menus - admin page showing user security level, other stuff CHECK - seems to just redirect to normal index CHECK

21:09	stderr	Hmm... Can you use an AuthUser on a virtual host that acts like a proxy?
	NCommander		audioguy, oh wait, you're using varnish

	NCommander	You need a fucking hack in slash to make that work
	NCommander	There's a sanity check I stabbed out that causes slash to act stupid when its varnished
	audioguy	That is what I was afraid of. Wondering if there is a simple way to do the same thing in slash code.
21:10	NCommander	I think the patch is on the master branch, if not, you need to grep for "X-Forwarded-By" in slashcode

mechanicjay		audioguy: is it borked?

21:45	mechanicjay	Varnish is passing everything through
	audioguy	It is getting in the way of me trying to debug a problem
	audioguy	I am trying to use .htaccess files, it is not letting me see the real errors,
	audioguy	Logs shows this:
	audioguy	[Wed Mar 5 05:40:08 2014] [error] :Slash::Utility::Environment:/usr/local/lib64/perl5/Slash/Utility/ getSkin for empty skid='' ;; Which was called by:Slash::Apache:/usr/local/lib64/perl5/Slash/
21:46	mechanicjay	Varnish should not be caching anything for the slashcott domain. I'll double check right now

Minifed javascript for jquery

This has now been placed on slashcott as a test to see if it workable on the main site.

I simply replaced the file in




after backing the original up, of course:

[root@slashcode jquery]# pwd
[root@slashcode jquery]# ls
jquery-1.3.2.js          jquery.autogrow.js     jquery.textselection.js  ui.sortable.js
jquery-1.3.2.min.js      jquery.elastic-1.6.js  ORIGINALjquery-1.3.2.js  ui.tabs.js
jquery.autocomplete.css  jquery.lazyload.js     ui.core.js
jquery.autocomplete.js   jquery.metadata.js     ui.draggable.js

The minified version is about 50% smaller.

  57254 Mar  5 14:33 jquery-1.3.2.js
  57254 Mar  5 14:30 jquery-1.3.2.min.js
 120764 Mar  3 20:21 ORIGINALjquery-1.3.2.js

  • [[1]] git - themes


Tue Mar 11 15:49:11 2014 forked; in 49s
Tue Mar 11 15:49:12 2014 [] begin (31934)
Tue Mar 11 15:49:12 2014 [] Can't call method "getTagboxes" on an undefined value at /tmp
/PGUkbKEnL8 line 65.
Tue Mar 11 15:49:12 2014 odd exit (status 25, signal 0)
Tue Mar 11 15:49:50 2014 sent SIGUSR1 to running tasks: pid 6370 ( pid 6416 
( pid 6501 (
Tue Mar 11 15:49:50 2014 Exiting slashd (TERM) with pid 6324
Tue Mar 11 20:27:31 2014 Starting slashd with pid 5713
Tue Mar 11 20:27:31 2014 Starting slashd on soylent-www (verbosity 2) with pid 5713
Use of uninitialized value $ENV{"SF_SYSTEM_FUNC"} in pattern match (m//) at /tmp/SzlreZ9fNi line 2
Tue Mar 11 20:27:31 2014 requiring '/srv/' raised exception: Can't locate File/ in @INC (@INC contains: /srv/ /srv/ /s
rv/ /srv/
rl5/site_perl/5.10.1 .) at /tmp/cfoF1coqdw line 17.
BEGIN failed--compilation aborted at /tmp/cfoF1coqdw line 17.
Compilation failed in require at /srv/ line 412.
Tue Mar 11 20:27:31 2014 requiring '/srv/' caused error: Inappropriate ioctl for device
Tue Mar 11 20:27:31 2014 '/srv/' did not set code properly
Tue Mar 11 20:27:31 2014 '/srv/' did not set timespec properly
Use of uninitialized value $ENV{"SF_SYSTEM_FUNC"} in pattern match (m//) at /tmp/wL_HD2j9GS line 2